HyPoRes: An Hybrid Representation System for ECC P. Martins 1 J. - - PowerPoint PPT Presentation

HyPoRes: An Hybrid Representation System for ECC

• P. Martins1
• J. Marrez2

J.-C. Bajard2

• L. Sousa1

1INESC-ID, Instituto Superior Técnico, Univ. Lisboa 2Sorbonnes Université, CNRS, LIP6, Paris, France

26th IEEE Symposium on Computer Arithmetic

Acknowledgement

This work was partially supported by Portuguese funds through Fundação para a Ciência e a Tecnologia (FCT) with reference UID/CEC/50021/2019 and by the Ph.D. grant with reference SFRH/BD/103791/2014; by the ANR grant ARRAND 15-CE39-0002-01; through the Pessoa/Hubert Curien programme with reference 4335 (FCT)/40832XC (CAMPUSFRANCE); and by EU’s Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM).

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Elliptic Curve Cryptography

Point addition of two points over an EC defined in R

◮ Security based on the difficulty of computing n from [n]P and P for curves defined over a finite field FP

Residue Number System

ZB1 Zb1,0 Zb1,1 . . . Zb1,h1−1

RNS breaks arithmetic modulo B1 = b1,0 × . . . × b1,h1−1 down to arithmetic modulo b1,0, . . . , b1,h1−1

Bridging the Gap

ECC Operations FP P = B1 ZB1 RNS parallel arithmetic ◮ Montgomery Reduction Maps operations in FP to ZB1 for any P with complexity of O(log2

2 P);

◮ Hybrid-Positional Residue Number System (HPR) Uses P = Bn

1 − β to reduce

complexity to O(log3/2

2

P).

Bridging the Gap

ECC Operations FP P = B1 ZB1 RNS parallel arithmetic ◮ Montgomery Reduction Maps operations in FP to ZB1 for any P with complexity of O(log2

2 P);

◮ Hybrid-Positional Residue Number System (HPR) Uses P = Bn

1 − β to reduce

complexity to O(log3/2

2

P).

◮ Does not work for standardised primes

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Montgomery Reduction

Q1 s.t. B1|A + Q1P Q1 = −AP−1 mod B1 Q2 = Q1 mod B2 Z2 = A+Q1P

B1

small Z1 = Z2 mod B1 A ∼ P2 O(h1h2) O(h1h2)

Complexity dominated by O(h1h2) with h1 ∼ h2 ∼ log2 P

Hybrid-Positional Residue Number System

A(0) + A(1) B1 + . . . + A(n−1) Bn−1

1

ZB1 × ZB2 ◮ D = A × C = D(0)+D(1)B1+. . .+D(n−1)Bn−1

1

+D(n)Bn

1 +. . .+D(2n−2)B2n−2 1

Hybrid-Positional Residue Number System

A(0) + A(1) B1 + . . . + A(n−1) Bn−1

1

ZB1 × ZB2 ◮ D = A × C = D(0)+D(1)B1+. . .+D(n−1)Bn−1

1

+D(n)Bn

1 +. . .+D(2n−2)B2n−2 1

◮ For P = Bn

1 − β:

D ≡

• D(0) + βD(n)

+

• D(1) + βD(n+1)

B1+. . .+D(n−1)Bn−1

1

Hybrid-Positional Residue Number System

A(0) + A(1) B1 + . . . + A(n−1) Bn−1

1

ZB1 × ZB2 ◮ D = A × C = D(0)+D(1)B1+. . .+D(n−1)Bn−1

1

+D(n)Bn

1 +. . .+D(2n−2)B2n−2 1

◮ For P = Bn

1 − β:

D ≡

• D(0) + βD(n)

+

• D(1) + βD(n+1)

B1+. . .+D(n−1)Bn−1

1

◮ Perform carry propagation to reduce the digits magnitude

Carry Propagation

D(i)

1

mod B1 D(i)

1

mod B2 C (i)

2

= D(i)

2 −D(i) 1

B1

C (i)

1

= C (i)

2

mod B1 D(i)

2

= D(i)

1

D(i+1)

2

= D(i+1)

2

+ C (i)

2

D(i+1)

1

= D(i+1)

1

+ C (i)

1

O(h1h2) O(h1h2)

Complexity dominated by O(n2(h1 + h2) + nh1h2) with nh1 ∼ nh2 ∼ log2 P

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Hybrid Polynomial-Residue Number System

A(0) + A(1) X + . . . + A(n−1) X n−1 ZB1 × ZB2 a =

i=0 A(i)γi mod P

Hybrid Polynomial-Residue Number System

A(0) + A(1) X + . . . + A(n−1) X n−1 ZB1 × ZB2 a =

i=0 A(i)γi mod P

γ is the n-th root of a small value β over FP ⇒ X n − β ∼ = 0

Hybrid Polynomial-Residue Number System

γ is the n-th root of a small value β over FP ⇒ X n − β ∼ = 0 ◮ D = A × C = D(0)+D(1)X +. . .+D(n−1)X n−1+D(n)X n+. . .+D(2n−2)X 2n−2

Hybrid Polynomial-Residue Number System

γ is the n-th root of a small value β over FP ⇒ X n − β ∼ = 0 ◮ D = A × C = D(0)+D(1)X +. . .+D(n−1)X n−1+D(n)X n+. . .+D(2n−2)X 2n−2 ◮ D ≡ D − (D(n) + . . . + D(2n−2)X n−2) × (X n − β) ≡

• D(0) + βD(n)

+

• D(1) + βD(n+1)

B1 + . . . + D(n−1)Bn−1

1

Hybrid Polynomial-Residue Number System

γ is the n-th root of a small value β over FP ⇒ X n − β ∼ = 0 ◮ D = A × C = D(0)+D(1)X +. . .+D(n−1)X n−1+D(n)X n+. . .+D(2n−2)X 2n−2 ◮ D ≡ D − (D(n) + . . . + D(2n−2)X n−2) × (X n − β) ≡

• D(0) + βD(n)

+

• D(1) + βD(n+1)

B1 + . . . + D(n−1)Bn−1

1

◮ Perform Montgomery reduction to reduce the digits magnitude

Hybrid Polynomial-Residue Number System

◮ Lattice L(Γ) of the representations of zero Γ =      P . . . −γ 1 . . . . . . . . . ... . . . −γn . . . 1      ◮ Each line in Γ corresponds to either P = 0 mod P or −γi + X i, which when evaluated at X = γ produces a value congruent with 0 ◮ Minskowski’s theorem guarantees that L(Γ) contains a nonzero vector M of norm at most (detL(Γ))1/n = P1/n

Hybrid Polynomial-Residue Number System

Q1 s.t. B1|A + Q1 ⋆ M Q1 = −A ⋆ M−1 mod B1 Q2 = Q1 mod B2 Z2 = A+Q1⋆M

B1

small Z1 = Z2 mod B1 A with large digits O(nh1h2) O(nh1h2) ⋆ denotes multiplica- tion in Z[X]/(X n − β)

Complexity dominated by O(n2(h1 + h2) + nh1h2) with nh1 ∼ nh2 ∼ log2 P

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Experimental Results

P383(P384)P448(P′

448)P521(P512)

1 2 3 4 5

• Exec. Time [µs]

Pure-RNS HyPoRes HPR

Average execution time of a pure-RNS and the proposed approaches for standardised primes, as well as of HPR with specially crafted primes on a i7-3770K

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Protection against SCAs

◮ Choose γ as the root of E(X) = E (0) +. . .+E (n−1)X n−1 +X n ◮ Operate over Z[X]/(E(X)) instead of Z[X]/(X n − β) ◮ Choose a E at random at the beginning of point multiplication ◮ Change representations throughout the execution of the algorithm by precomputing representations of γi in the target system

Table of Contents

Motivation Elliptic Curve Cryptography Residue Number System Background Montgomery Reduction Hybrid-Positional Residue Number System Proposed HyPoRes Experimental Results Protection against SCAs Conclusion

Conclusion

Better Performance Pure- RNS HyPoRes HPR Weaker Assumptions ◮ HyPoRes multiplication has subquadratic time complexity ◮ Montgomery reduction is slower than carry propagation so HyPoRes is slower than HPR, but works for any prime ◮ Redundant representations are possible, improving resistance against SCAs

Thank you!

Any questions?